We've recently completed a successful (but small) prototype/pilot program involving the collection of "hazard-identification" data from health care workers. Our "system" is comprised of 3 parts: a web-based data collection application, a data analysis application, and a database of stored data. Although we don't specifically solicit sensitive info (directly covered by HIPAA) the health care workers frequently include this sort of information in their reports (to add context, for follow-up, etc.).
For the pilot program all of this was accomplished via a dedicated hosted server. As we move forward, and expand, we're looking to implement a number of steps to ensure that we remain HIPAA compliant "beyond the science project mode". In working with the tech support engineers at the Tier II SAS 70 data center that we intend to use, we're being told that "your database needs to be maintained on a separate server from any data analysis program."
I understand the logic and rationale behind this -- and I appreciate the engineers' input -- but I'd like to find a specific reference that stipulates the need for this particular set-up.
If anyone could point me in the right direction, that would be great!